Hackers are using India’s postal system to lure victims into clicking on malicious messages, according to a new report.

The campaign likely aims to steal users’ personal and financial information, according to the research published Thursday by cybersecurity firm Fortinet.

The scam targets iPhone users with iMessages that falsely claim a package is awaiting pickup at an India Post warehouse. The messages often contain a short link leading to a fraudulent website that impersonates India Post.

The threat actors send malicious messages via iMessage directly to the recipients’ registered Apple ID email addresses. The sender ID could be a newly registered Apple ID or a compromised account, researchers said.

The malicious India Post website asks users to provide their name, full residential address, email ID, phone number and debit and credit card information for a payment allegedly required for redelivering the package.

The hackers can use this information in future operations to send phishing emails, spread disinformation or distribute malware, researchers said. 

According to Fortinet, the campaign could be linked to China, as half of the 470 discovered domain registrations mimicking India Post’s official domain were registered via a Chinese company.

“The notable concentration of registrations through a Chinese registrar certainly raises substantial concerns about the underlying intentions,” researchers said.

Fortinet suggested that the campaign against Indian users “may serve as a strategic initiative to raise funds to fuel operations in China.”

Earlier reports about this campaign linked the India Post-themed attacks to a China-based threat actor known as the Smishing Triad.

The group has conducted similar operations before. Last December, it attempted to steal personal and financial information from residents and visitors of the United Arab Emirates in a text-based phishing campaign.

The hackers sent malicious text messages purportedly from UAE authorities, luring victims into providing data such as home addresses, phone numbers and credit card information.

Fortinet said the latest campaign against Indian users likely required substantial investment to register and host hundreds of domains.

This highlights “the threat actors’ commitment, the phishing operation’s scale, and its potential long-term impact,” researchers said. Researchers did not disclose the number of users affected by the scam.

“We believe that the likelihood of numerous victims falling prey to these scams is increased, leading to substantial financial losses, data breaches, and other security issues for individuals and organizations targeted by these domains.”

Postal delivery scams affect customers worldwide, including those in the U.S. For example, UPS and FedEx courier services have previously warned their customers about fraudulent telephone calls, text messages and emails disguised as official communications from the companies, but which in reality come from scammers.